How to capture an FTP session password with tcpdump.

Posted: July 17, 2017 at 1:02 PM. Post ID: 10942

How to capture packets from a network with tcpdump and get an FTP login password.

I used this tcpdump command line to capture packets travelling over my network; it was intended to capture an FTP login. I am using an anonymous login as an example, but there is still a password involved. This way I can capture an FTP login easily if I know someone on the network is doing FTP tasks.

localhost /home/jason # tcpdump -A port ftp -i wlp2s0 > dump.out

Now I can get the FTP password from the capture file.

localhost /home/jason # cat dump.out | grep PASS
01:59:57.344755 IP 10.1.1.219.36564 > ftp6.gwdg.de.ftp: Flags [P.], seq 17:43, ack 199, win 237, options [nop,nop,TS val 2057831 ecr 1933241270], length 26: FTP: PASS mozilla@example.com
..fgs:..PASS mozilla@example.com

That is how I captured packets from an FTP session without needing Wireshark installed. The password is readable only because plain FTP sends its credentials unencrypted; an FTPS or SFTP session would not expose them to tcpdump this way.
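As an added example (not part of the original post), the following Python script reads the same `tcpdump -A port ftp` output shown above and reports each cleartext FTP login it finds, the way a monitoring script that flags plain FTP on the network would, without copying the password into its own log. The sample lines are constructed for the example; the PASS line for 10.1.1.219 is the one from the capture above.

```python
import re
from typing import Dict, List, Tuple

# Matches the summary line tcpdump prints for an FTP USER or PASS command
# (the "-A" ASCII payload lines that follow it are deliberately ignored).
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r".*length \d+: FTP: (?P<cmd>USER|PASS) (?P<arg>.*)$"
)


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'10.1.1.219.36564' -> ('10.1.1.219', '36564'); 'ftp6.gwdg.de.ftp' -> ('ftp6.gwdg.de', 'ftp')."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def find_cleartext_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per client/server pair that sent a password in the clear.
    The password itself is never stored, only its length."""
    pending: Dict[Tuple[str, str], Dict[str, str]] = {}  # USER seen, PASS not yet
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        client, _ = split_endpoint(m["src"])
        server, _ = split_endpoint(m["dst"])
        flow = (client, server)
        if m["cmd"] == "USER":
            pending[flow] = {"time": m["ts"], "client": client, "server": server, "user": m["arg"]}
            continue
        # PASS without a preceding USER in this capture is still reported
        record = pending.pop(flow, {"time": m["ts"], "client": client, "server": server, "user": "<unknown>"})
        record["password"] = "<redacted, %d chars>" % len(m["arg"])
        alerts.append(record)
    return alerts


# Constructed sample of `tcpdump -A port ftp` output (second line is the PASS line from the capture above)
SAMPLE = [
    "01:59:55.120000 IP 10.1.1.219.36564 > ftp6.gwdg.de.ftp: Flags [P.], seq 1:17, ack 150, win 237, length 16: FTP: USER anonymous",
    "01:59:57.344755 IP 10.1.1.219.36564 > ftp6.gwdg.de.ftp: Flags [P.], seq 17:43, ack 199, win 237, options [nop,nop,TS val 2057831 ecr 1933241270], length 26: FTP: PASS mozilla@example.com",
    "..fgs:..PASS mozilla@example.com",
    "02:03:10.100000 IP 10.1.1.40.40001 > 10.1.1.184.21: Flags [P.], seq 1:13, ack 1, win 229, length 12: FTP: PASS s3cret",
]

if __name__ == "__main__":
    for alert in find_cleartext_logins(SAMPLE):
        print("cleartext FTP login: %(client)s -> %(server)s user=%(user)s password=%(password)s at %(time)s" % alert)
```

Feed it `dump.out` line by line instead of SAMPLE to run it over a real capture.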

To get information about hosts on a network, use the netdiscover command as root.

┌─[root@parrot][/home/user]
└──╼ # netdiscover -r 10.1.1.0/24

This is the output you should get; it lists the IP and MAC address of each host that answered the ARP scan.

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 9 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 540
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.1.1        e0:b9:e5:b8:31:ba      7     420  Technicolor
 10.1.1.40       00:13:46:3a:02:83      1      60  D-Link Corporation
 10.1.1.184      f0:25:b7:fa:01:4a      1      60  Unknown vendor

Another way to find live hosts on a LAN is with Nmap. This example does host discovery only (-sP, now spelled -sn) and uses TCP ACK probes to ports 21, 22, 25 and 3389 for the check, so it returns only the live hosts on the network without port-scanning them.

┌─[root@parrot][/home/user]
└──╼ # nmap -sP -PA21,22,25,3389 10.1.1.0/24 #21 is used by ftp
 
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-17 12:57 UTC
Nmap scan report for dsldevice.lan (10.1.1.1)
Host is up (0.00054s latency).
MAC Address: E0:B9:E5:B8:31:BA (Technicolor)
Nmap scan report for BLUFOR.lan (10.1.1.40)
Host is up (-0.088s latency).
MAC Address: 00:13:46:3A:02:83 (D-Link)
Nmap scan report for 10.1.1.184
Host is up (-0.091s latency).
MAC Address: F0:25:B7:FA:01:4A (Samsung Electro-mechanics(thailand))
Nmap scan report for parrot.lan (10.1.1.7)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 19.41 seconds
